US8001389B2 - Secure database access through partial encryption - Google Patents
- Publication number
- US8001389B2
- Authority
- US
- United States
- Prior art keywords
- query
- document
- database
- sensitive
- results
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime, expires
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Definitions
- The present invention generally relates to data processing and more particularly to methods of secure access to a database.
- Databases are computerized information storage and retrieval systems.
- A relational database management system is a computer database management system (DBMS) that uses relational techniques for storing and retrieving data.
- The most prevalent type of database is the relational database, a tabular database in which data is defined so that it can be reorganized and accessed in a number of different ways.
- A requesting entity (e.g., an application or the operating system) issues requests against the database. Requests may include, for instance, simple catalog lookup requests or transactions and combinations of transactions that operate to read, change and add specified records in the database.
- SQL (Structured Query Language) is used by database products including those of IBM (International Business Machines), Microsoft's SQL Server, and database products from Oracle, Sybase, and Computer Associates.
- The term “query” denominates a set of commands for retrieving data from a stored database. Queries take the form of a command language that lets programmers and programs select, insert, update, find out the location of data, and so forth.
- Databases often contain confidential or otherwise sensitive material that requires a degree of security to be protected from access.
- For example, medical records are considered highly personal and confidential.
- Other examples of sensitive material include, but are certainly not limited to, credit card numbers and personal identification numbers (PINs) used to conduct financial transactions, and employee records.
- Conventional database management systems often implement user profiles which specify a level of authority. Whether a user may access some particular data depends upon the user's level of authority specified in their respective profile.
- Conventional mechanisms for securing data in transit include SSL (Secure Sockets Layer) and S-HTTP (Secure HyperText Transfer Protocol).
- The present invention generally provides methods, articles of manufacture, and systems for securing sensitive information in a database transaction.
- In one aspect, a method for generating a secure document generally includes providing a first document containing security attributes for one or more fields for use in generating a second document, the security attributes identifying whether a corresponding one of the fields is sensitive, generating the second document including one or more of the fields, and encrypting portions of the second document involving fields identified as sensitive in the first document.
- In another aspect, a method for conducting a secure database transaction generally includes receiving query results from a server, the query results containing both encrypted and unencrypted data, identifying the encrypted data, and presenting at least the unencrypted data to a user.
- In a further aspect, a method for conducting a secure database transaction generally includes building a query having one or more conditions, each condition involving one or more fields, determining, for each of the conditions, whether the condition involves sensitive fields, and encrypting conditions determined to involve sensitive fields.
- In a further aspect, a method for conducting a secure database transaction generally includes receiving a query from a requesting entity, issuing the query against a database, receiving results in response to issuing the query, determining whether the results include data corresponding to one or more sensitive fields, if so, encrypting the data corresponding to the one or more sensitive fields, and sending the query results to the requesting entity.
- One article of manufacture generally includes a computer-readable medium containing a program which, when executed by a processor, performs operations for conducting a secure database transaction. The operations generally include generating a query having one or more conditions, each condition involving one or more fields, determining, for each of the conditions, whether the condition involves sensitive fields, and encrypting conditions determined to involve sensitive fields.
- Another article of manufacture likewise includes a computer-readable medium containing a program which, when executed by a processor, performs operations for conducting a secure database transaction. These operations generally include receiving a query from a requesting entity, issuing the query against a database, receiving results in response to issuing the query, determining whether the results include data corresponding to one or more sensitive fields, if so, encrypting the data corresponding to the one or more sensitive fields, and sending the query results to the requesting entity.
- A database system generally includes a database, a requesting entity and an executable component (e.g., a server process).
- The executable component is generally configured to a) receive a query from the requesting entity, b) issue the query against the database, c) determine if results received in response to issuing the query against the database contain data corresponding to one or more sensitive fields, d) if so, encrypt the data corresponding to the one or more sensitive fields, and e) send the results to the requesting entity.
- FIG. 1 is a computer system illustratively utilized in accordance with the present invention.
- FIGS. 2A-2C are relational views of software components of one embodiment of the present invention.
- FIGS. 3A-3C are flow charts illustrating exemplary operations for securing sensitive information in accordance with the present invention.
- FIGS. 4A-4D illustrate exemplary graphical user interface (GUI) screens in accordance with the present invention.
- The present invention generally is directed to systems, methods, and articles of manufacture for securing sensitive information involved in database transactions. Rather than take the conventional “all or nothing” approach to securing entire transactions (e.g., encrypting entire database queries and results), embodiments of the present invention selectively encrypt only portions of transactions involving sensitive data, thereby reducing or eliminating the processing overhead resulting from wastefully encrypting non-sensitive data.
- In one embodiment, a document containing security attributes which identify sensitive fields is provided. Entities involved in transactions may access this document to determine what data to encrypt. For example, a requesting application may access the document to determine which portions of a query to encrypt, while a database server may access the document to determine which portions of query results to encrypt.
- As used herein, the term document generally refers to any file produced by an application. Accordingly, a document may contain human-readable text (generated by a word processor or other type of editor), machine-readable data, or any data in any other type of format. For some embodiments, queries and/or results may be contained within a document. In the following description, to facilitate understanding, embodiments of the present invention will be described with reference to XML documents as a specific, but not limiting, example of a type of document that may contain security attributes for fields involved in a database transaction.
- Patient identification (ID) numbers may be regarded as sensitive information in the context of query results. With the patient ID, the remaining query results have context: for example, a sensitive test result can be related to the particular patient to which it corresponds. On the other hand, if the patient ID is removed (or secured such that only authorized users can view it), the remaining data becomes merely statistical in nature. In other words, without the patient ID the only information that can be determined from the data is its relationship to the rest of the data, which may still be useful for many applications, such as conducting medical research. For example, without the patient ID, a researcher may be able to determine that 20% of the patients in a sample have been diagnosed with cancer, but cannot determine which individual patient has been diagnosed.
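The selective encryption described above, with both sides of the exchange, as an added Python example; it is not part of the patent or of any product it describes. The "first document" of security attributes is modelled on the DRA field specifications and Boolean encryption attribute the patent describes (the element and attribute names `DataRepository`, `Field`, `encrypt`, `QueryAbstraction`, `Results` are assumptions), the requesting application encrypts only the query conditions that involve a sensitive field, the server encrypts only the sensitive fields of each result row, and a client without the key still gets the statistical view the patent describes for a researcher. The cipher is a standard-library-only stand-in (HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) for the patent's unspecified "encryption algorithm 151"; a deployment would use a vetted AEAD such as AES-GCM. The sample rows are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed "first document": one security attribute per logical field, in the
# spirit of the patent's DRA field specifications (names are assumptions).
FIELD_SPECS_XML = """<DataRepository>
  <Field name="PatientID" encrypt="YES"/>
  <Field name="Test" encrypt="NO"/>
  <Field name="Result" encrypt="NO"/>
  <Field name="TestDate" encrypt="NO"/>
</DataRepository>"""

TRUE_VALUES = {"YES", "ENABLED", "TRUE", "1"}  # Boolean spellings the patent mentions
NONCE_LEN, TAG_LEN = 12, 16


def load_sensitive_fields(spec_xml: str) -> set:
    """Names of the fields whose encryption attribute is set."""
    return {f.get("name") for f in ET.fromstring(spec_xml).iter("Field")
            if f.get("encrypt", "NO").upper() in TRUE_VALUES}


# --- stand-in cipher: HMAC-SHA256 counter-mode keystream + encrypt-then-MAC tag ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while counter * 32 < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_value(key: bytes, plaintext: str, nonce: Optional[bytes] = None) -> str:
    """Hex token nonce || ciphertext || tag, with a fresh random nonce per value."""
    nonce = nonce or os.urandom(NONCE_LEN)
    data = plaintext.encode()
    body = bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return (nonce + body + tag).hex()


def decrypt_value(key: bytes, token: str) -> str:
    """Verify the tag before decrypting: a tampered token is rejected, never decoded."""
    raw = bytes.fromhex(token)
    nonce, body, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))).decode()


# --- requesting application: encrypt only the conditions that involve a sensitive field ---
def secure_query(conditions: list, sensitive: set, key: bytes) -> str:
    query = ET.Element("QueryAbstraction")
    selection = ET.SubElement(query, "Selection")
    for field, operator, value in conditions:
        cond = ET.SubElement(selection, "Condition", field=field, operator=operator)
        if field in sensitive:
            cond.set("encrypted", "true")
            cond.text = encrypt_value(key, value)
        else:
            cond.text = value
    return ET.tostring(query, encoding="unicode")


# --- server: encrypt only the sensitive fields of each result row ---
def encrypt_sensitive_results(rows: list, sensitive: set, key: bytes) -> str:
    results = ET.Element("Results")
    for row in rows:
        element = ET.SubElement(results, "Row")
        for name, value in row.items():
            field = ET.SubElement(element, "Field", name=name)
            if name in sensitive:
                field.set("encrypted", "true")
                field.text = encrypt_value(key, str(value))
            else:
                field.text = str(value)
    return ET.tostring(results, encoding="unicode")


# --- client: identify the encrypted fields; the plaintext ones are shown to everyone ---
def present_results(results_xml: str, key: Optional[bytes] = None) -> list:
    rows = []
    for element in ET.fromstring(results_xml).iter("Row"):
        row = {}
        for field in element.iter("Field"):
            if field.get("encrypted") == "true":
                row[field.get("name")] = decrypt_value(key, field.text) if key else "<encrypted>"
            else:
                row[field.get("name")] = field.text
        rows.append(row)
    return rows


# Constructed sample rows modelled on the patent's hemoglobin-test example.
SAMPLE_ROWS = [
    {"PatientID": "P-1001", "Test": "hemoglobin", "Result": "13.2", "TestDate": "2003-06-01"},
    {"PatientID": "P-1002", "Test": "hemoglobin", "Result": "9.8", "TestDate": "2003-06-02"},
]

if __name__ == "__main__":
    key = os.urandom(32)
    sensitive = load_sensitive_fields(FIELD_SPECS_XML)
    print(secure_query([("Test", "=", "hemoglobin"), ("PatientID", "=", "P-1001")], sensitive, key))
    document = encrypt_sensitive_results(SAMPLE_ROWS, sensitive, key)
    print(present_results(document))       # researcher's view: statistics without identities
    print(present_results(document, key))  # authorized view
```

Two caveats a practitioner would check: the key has to be shared between the requesting entity and the server out of band (the patent does not specify key management), and the hex token still reveals the length of the plaintext, so fixed-width sensitive values such as IDs leak less than free text.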
- The medical field is just one application environment in which aspects of the present invention may be used to advantage.
- Another example is a human resources application where large amounts of sensitive employee information (e.g., salary, performance, etc.) may be transmitted across a network in database transactions. By securing an employee ID, the remaining sensitive employee information may be transferred freely because, without the employee ID, the remaining employee information has no context.
- Another example is a marketing application, in which consumer transactions, tracked and recorded in a database, may be queried to conduct marketing research. The transaction records may contain sensitive information regarding consumers (e.g., credit card numbers, credit ratings, customer names, etc.), which may be secured, allowing other information (e.g., items purchased, dates of purchases, etc.) to be freely transferred.
- In one embodiment, security features are implemented as part of an abstract (logical) model of data (or data abstraction model).
- The data abstraction model is implemented as a data repository abstraction (DRA) component containing a collection of abstract representations of fields of data contained in the repository it models.
- A query abstraction layer is also provided and is based on the data abstraction model.
- A runtime component (e.g., a query execution component) performs translation of abstract queries (generated based on the data abstraction model) into a form that can be used against a particular physical data representation.
- One embodiment of the invention is implemented as a program product for use with a computer system such as, for example, the networked computer system 100 shown in FIG. 1 and described below.
- The program(s) of the program product define functions of the embodiments (including the methods described herein) and can be contained on a variety of signal-bearing media.
- Illustrative signal-bearing media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive) having information stored thereon; and (ii) writable storage media (e.g., floppy disks within a diskette drive or hard-disk drive) having alterable information stored thereon.
- Routines executed to implement the embodiments of the invention may be part of an operating system or a specific application, component, program, module, object, or sequence of instructions.
- The software of the present invention typically comprises a multitude of instructions that will be translated by the native computer into a machine-readable format and hence executable instructions.
- Programs comprise variables and data structures that either reside locally to the program or are found in memory or on storage devices.
- Various programs described hereinafter may be identified based upon the application for which they are implemented in a specific embodiment of the invention. However, it should be appreciated that any particular nomenclature that follows is used merely for convenience, and thus the invention should not be limited to use solely in any specific application identified and/or implied by such nomenclature.
- FIG. 1 depicts a block diagram of the networked computer system 100 in which embodiments of the present invention may be implemented.
- The system 100 includes a client (e.g., user's) computer 102 (three such client computers 102 are shown) and at least one server 104.
- The client computer 102 and the server computer 104 are connected via a network 126.
- The network 126 may be a local area network (LAN) and/or a wide area network (WAN).
- In one embodiment, the network 126 is the Internet.
- The client computer 102 includes a Central Processing Unit (CPU) 110 connected via a bus 130 to a memory 112, storage 114, an input device 116, an output device 119, and a network interface device 118.
- The input device 116 can be any device to give input to the client computer 102. For example, a keyboard, keypad, light-pen, touch-screen, track-ball, speech recognition unit, audio/video player, and the like could be used.
- The output device 119 can be any device to give output to the user, e.g., any conventional display screen. Although shown separately from the input device 116, the output device 119 and input device 116 could be combined. For example, a display screen with an integrated touch-screen, a display with an integrated keyboard, or a speech recognition unit combined with a text-to-speech converter could be used.
- The network interface device 118 may be any entry/exit device configured to allow network communications between the client computer 102 and the server 104 via the network 126. For example, the network interface device 118 may be a network adapter or other network interface card (NIC).
- Storage 114 is preferably a Direct Access Storage Device (DASD). Although it is shown as a single unit, it could be a combination of fixed and/or removable storage devices, such as fixed disc drives, floppy disc drives, tape drives, removable memory cards, or optical storage. The memory 112 and storage 114 could be part of one virtual address space spanning multiple primary and secondary storage devices.
- The memory 112 is preferably a random access memory sufficiently large to hold the necessary programming and data structures of the invention. While the memory 112 is shown as a single entity, it should be understood that the memory 112 may in fact comprise a plurality of modules, and that the memory 112 may exist at multiple levels, from high-speed registers and caches to lower-speed but larger DRAM chips.
- The memory 112 contains an operating system 124.
- Examples of operating systems which may be used to advantage include Linux and Microsoft's Windows®. More generally, any operating system supporting the functions disclosed herein may be used.
- The memory 112 is also shown containing a browser program 122 that, when executed on CPU 110, provides support for navigating between the various servers 104 and locating network addresses at one or more of the servers 104.
- In one embodiment, the browser program 122 includes a web-based Graphical User Interface (GUI), which allows the user to display Hyper Text Markup Language (HTML) information. More generally, however, the browser program 122 may be any program (preferably GUI-based) capable of rendering the information transmitted to the client computer 102 from the server 104.
- The browser program 122 may enable a user to conduct database transactions (e.g., build and issue queries) with the server 104, for example, via one or more GUI screens that form a query building interface. In other words, queries issued by the client 102 may be sent to the server 104 over the network 126 (and results from the query will be sent from the server 104 to the client 102), thus prompting the need to secure sensitive information involved in the transaction.
- The server 104 may be physically arranged in a manner similar to the client computer 102. Accordingly, the server 104 is shown generally comprising a CPU 131, a memory 132, and a storage device 134, coupled to one another by a bus 136.
- Memory 132 may be a random access memory sufficiently large to hold the necessary programming and data structures that are located on the server 104.
- The server 104 is generally under the control of an operating system 138 shown residing in memory 132.
- Examples of the operating system 138 include IBM OS/400®, UNIX, Microsoft Windows®, and the like. More generally, any operating system capable of supporting the functions described herein may be used.
- The memory 132 further includes one or more applications 140 and an abstract query interface 146.
- The applications 140 and the abstract query interface 146 are software products comprising a plurality of instructions that are resident at various times in various memory and storage devices in the server 104.
- When read and executed by one or more processors 131 in the server 104, the applications 140 and the abstract query interface 146 cause the computer system 100 to perform the steps necessary to execute steps or elements embodying the various aspects of the invention.
- The applications 140 (and more generally, any requesting entity, including the operating system 138 and, at the highest level, users) issue queries against a database (e.g., databases 156_1, 156_2, ..., 156_N, collectively referred to as databases 156).
- The databases 156 are shown as part of a database management system (DBMS) 154 in storage 134.
- The databases 156 are representative of any collection of data regardless of the particular physical representation.
- By way of illustration, the databases 156 may be organized according to a relational schema (accessible by SQL queries) or according to an XML schema (accessible by XML queries).
- The invention is not limited to a particular schema and contemplates extension to schemas presently unknown.
- As used herein, the term “schema” generically refers to a particular arrangement of data.
- In one embodiment, the queries issued by the applications 140 are defined according to an application query specification 142 included with each application 140.
- The queries issued by the applications 140 may be predefined (i.e., hard coded as part of the applications 140) or may be generated in response to input (e.g., user input).
- In one embodiment, the queries (referred to herein as “abstract queries”) are composed/executed using logical fields defined by the abstract query interface 146.
- The concepts of data abstraction and abstract queries are described in detail in the commonly owned, co-pending application Ser. No. 10/083,075, entitled “Improved Application Portability And Extensibility Through Database Schema And Query Abstraction,” filed Feb. 26, 2002, herein incorporated by reference in its entirety.
- In particular, the logical fields used in the abstract queries are defined by a data repository abstraction (DRA) component 148 of the abstract query interface 146.
- The abstract queries are executed by a query execution component 150 which first transforms the abstract queries into a form consistent with the physical representation of the data contained in the DBMS 154.
- In one embodiment, the DRA component 148 is configured with encryption information 162.
- Alternatively, the encryption information 162 may reside elsewhere. As will be described in more detail below, the encryption information 162 may identify fields within the databases 156 that contain sensitive information and should, therefore, be encrypted.
- The query execution component 150 operates to perform various analyses and, in some embodiments, implements various security features, such as encrypting sensitive information contained within a query or results, or takes other actions according to the results of the analyses performed. Accordingly, the query execution component 150 is shown configured with an encryption algorithm 151 (which may be representative of a plurality of algorithms), which implements the methods described herein. In general, the security features described herein may be applied to a particular user, a group of users, or all users.
- In one embodiment, the content of the GUI screens is generated by the application(s) 140.
- In a particular embodiment, the GUI content is hypertext markup language (HTML) content which may be rendered on the client computer systems 102 with the browser program 122.
- The memory 132 includes a Hypertext Transfer Protocol (HTTP) server process 152 (e.g., a web server) adapted to service requests from the client computer 102.
- For example, the server process 152 may respond to requests to access the database(s) 156, which illustratively reside on the server 104.
- Incoming client requests for data from a database 156 invoke an application 140.
- When executed by the processor 131, the application 140 causes the server 104 to perform the steps or elements embodying the various aspects of the invention, including accessing the database(s) 156.
- In one embodiment, the application 140 comprises a plurality of servlets configured to build GUI elements, which are then rendered by the browser program 122.
- FIG. 1 is merely one hardware/software configuration for the networked client computer 102 and server 104.
- Embodiments of the present invention can apply to any comparable hardware configuration, regardless of whether the computer systems are complicated, multi-user computing apparatus, single-user workstations, or network appliances that do not have non-volatile storage of their own.
- Although particular markup languages, including HTML, are described, the invention is not limited to a particular language, standard or version. Accordingly, persons skilled in the art will recognize that the invention is adaptable to other markup languages as well as non-markup languages and that the invention is also adaptable to future changes in a particular markup language as well as to other languages presently unknown.
- Likewise, the HTTP server process 152 shown in FIG. 1 is merely illustrative, and other embodiments adapted to support any known and unknown protocols are contemplated.
- FIGS. 2A-2C illustrate relational views of components of the invention.
- The requesting entity (e.g., one of the applications 140) issues a query 202. The resulting query 202 is generally referred to herein as an “abstract query” because the query is composed according to abstract (i.e., logical) fields rather than by direct reference to the underlying physical data entities in the previously described DBMS 154.
- As a result, abstract queries may be defined that are independent of the particular underlying data representation used.
- FIG. 2B shows one example of the abstract query 202.
- The abstract query 202 may include both criteria (e.g., query conditions) used for data selection (selection criteria 204) and an explicit specification of the fields to be returned (return data specification 206) based on the selection criteria 204, both of which may be specified in the application query specification 142.
- Illustratively, the abstract query is designed to return information (ID, test results, and date of test) regarding patients that had hemoglobin tests performed in Rochester.
- An illustrative abstract query corresponding to the abstract query 202 shown in FIG. 2B is shown in Table I below.
- In this example, the abstract query 202 is defined using XML. However, any other language may be used to advantage.
- The abstract query shown in Table I includes a selection specification (lines 5-11) containing selection criteria and a results specification (lines 12-16).
- In general, the result specification is a list of abstract fields that are to be returned as a result of query execution.
- A result specification in the abstract query may consist of a field name and formatting options, such as sorting criteria.
- The logical fields specified by the application query specification 142 and used to compose the abstract query 202 are defined by the DRA component 148.
- The DRA component 148 exposes information as a set of logical fields that may be used within a query (e.g., the abstract query 202) issued by the application 140 (which may be in response to user input query conditions) to specify criteria for data selection and to specify the form of result data returned from a query operation.
- The logical fields are defined independently of the underlying data representation being used in the DBMS 154, thereby allowing queries to be formed that are loosely coupled to the underlying data representation.
- the DRA component 148 comprises a plurality of field specifications 208 1 , 208 2 , 208 3 , . . . (three shown by way of example), collectively referred to as the field specifications 208 .
- a field specification is provided for each logical field available for composition of an abstract query.
- a field specification 208 comprises a logical field name 210 1 , 210 2 , 210 3 (collectively, field name 210 ) and an associated access method 212 1 , 212 2 , 212 1 (collectively, access method 212 ).
- the access methods 212 associate (i.e., map) the logical field names to a particular physical data representation 214 1 , 214 2 . . .
- a database e.g., one of the databases 156 .
- a database e.g., one of the databases 156 .
- two data representations are shown in FIG. 2A , an XML data representation 214 1 and a relational data representation 214 2 .
- the physical data representation 214 N indicates that any other data representation, known or unknown, is contemplated.
- a single DRA component 148 contains field specifications (with associated access methods) for two or more physical data representations 214 .
- a different single DRA component 148 is provided for each separate physical data representation 214 .
- multiple data repository abstraction components 148 are provided, where each DRA component 148 exposes different portions of the same underlying physical data (which may comprise one or more physical data representations 214 ). In this manner, a single application 140 may be used simultaneously by multiple users to access the same underlying data where the particular portions of the underlying data exposed to the application are determined by the respective DRA component 148 .
- access methods for simple fields, filtered fields and composed fields are provided.
- the field specifications 208 1 , 208 2 and 208 3 exemplify simple field access methods 212 1 , 212 2 and 212 3 , respectively.
- Simple fields are mapped directly to a particular entity in the underlying physical data representation (e.g., a field mapped to a given database table and column).
- the simple field access method 212 1 shown in FIG. 2B maps the logical field name 210 1 (“Test”) to a column named “test_type” in a table named “test_records.”
- Filtered fields identify an associated physical entity and provide rules used to define a particular subset of items within the physical data representation.
- An example of a filtered field is a New York ZIP code field that maps to the physical representation of ZIP codes and restricts the data only to those ZIP codes defined for the state of New York.
- Composed access methods compute a logical field from one or more physical fields using an expression supplied as part of the access method definition. In this way, information which does not exist in the underlying data representation may be computed.
- An example is a sales tax field that is composed by multiplying a sales price field by a sales tax rate.
- the formats for any given data type (e.g., dates, decimal numbers, etc.) of the underlying data may vary.
- the field specifications 208 include a type attribute which reflects the format of the underlying data.
- the data format of the field specifications 208 is different from the associated underlying physical data, in which case an access method is responsible for returning data in the proper format assumed by the requesting entity.
- the access method must know what format of data is assumed (i.e., according to the logical field) as well as the actual format of the underlying physical data. The access method can then convert the underlying physical data into the format of the logical field.
- the field specifications 208 of the DRA component 148 shown in FIG. 2 are representative of logical fields mapped to data represented in the relational data representation 214₂.
- other instances of the DRA component 148 map logical fields to other physical data representations, such as XML.
- one or more of the field specifications 208 are configured with the encryption information 162 briefly described above with reference to FIGS. 1 and 2A .
- the encryption information 162 is an encryption attribute 216 .
- the encryption attribute 216 may be assigned a Boolean value, for example, with YES (ENABLED, TRUE, 1, etc.) indicating the corresponding logical field is sensitive and should, therefore, be encrypted. It should be understood that the encryption attribute need not be designated in the DRA component 148 , but could instead be provided in a configuration file, for example.
- in addition to (or in place of) a Boolean encryption attribute that indicates a field is sensitive, another security attribute may be provided, such as an integer value indicative of, for example, an authorized user group or user security level required for viewing encrypted results containing the sensitive data or query conditions involving a sensitive field.
- a list of user profiles 153 (a plurality of which are shown in FIG. 1 ) containing a security level (user ID, or user group) for individual users may be maintained.
- the security level (or other type of user credentials) may be compared against this other type security attribute to determine whether queries containing a sensitive field, or query results involving the sensitive field, should be presented to the user in a viewable manner (decrypted/unencrypted).
- Any type of suitable algorithm may be utilized to encrypt sensitive fields.
- encryption algorithms based on public and private keys may be used to encrypt and decrypt, respectively, sensitive portions of database transactions; alternatively, a symmetric cipher may be used with a key shared by the client and server (see the key exchange described with reference to FIG. 3B below).
- the algorithms named as examples are RSA, DES, SHA, and MD5. Of these, only RSA and DES are ciphers. SHA and MD5 are one-way hash functions with no decryption operation, so they cannot be used where the receiver must recover the sensitive value, and DES (56-bit key) is no longer considered adequate for new designs; a current authenticated cipher such as AES-GCM would be used in practice.
- the type of encryption algorithm may be specified in the DRA component 148 , rather than utilizing a “hard coded” algorithm agreed upon by the server and requesting client.
- different algorithms may be specified in the DRA component 148 (e.g. as part of encryption information 162 ), which may enhance security, for example, further decreasing the likelihood an unauthorized viewer will be able to decrypt the sensitive portions.
- query results 220 returned by the query execution component 150 may contain both viewable results 222 and encrypted results 224 .
- Table II shows illustrative return results for the example query 202 shown in FIG. 2B .
- the results include two rows of data (lines 2-13 and lines 14-25) and the return results are shown in XML.
- any other language may be used to advantage.
- the Patient ID field is sensitive and is, therefore, encrypted, as shown in lines 4-9 and lines 15-20.
- the other logical fields in the return results (test results in lines 11 and 23, date of test in lines 12 and 24) are returned unencrypted. Accordingly, even if the illustrated return results were intercepted, for example, by an unauthorized eavesdropper, the Patient ID would not be obtained and the remaining results would have no context and, therefore, little value outside statistical research.
- the return results 220 are received by the requesting entity (e.g., the application 140 or the client browser program 122 shown in FIG. 1 ).
- the encrypted results may be decrypted and presented to the user in viewable form, may remain encrypted with an indication to the user that the results are encrypted, or may not be displayed to the user at all. Further, as will be described in greater detail below, in order to facilitate manipulation of query results (e.g., sorting, building related queries, etc.), encrypted results may be decrypted and stored as temporary results 230 .
- query conditions involving sensitive fields may also be encrypted, which prevents sensitive information supplied in the query itself (e.g., a particular patient ID used in a condition) from being transmitted as text on the wire.
- FIGS. 3A-3C illustrate exemplary operations for securing sensitive information in database transactions according to various aspects of the present invention.
- FIG. 3A illustrates exemplary operations 300 for securing sensitive information by encrypting query conditions involving sensitive logical fields.
- the operations 300 may be performed by any requesting entity, such as the browser program 122 of the client 102 , to encrypt sensitive information contained in a query prior to transmitting the query over the network 126 .
- the operations 300 begin at step 302 , for example, by invoking an application (e.g., the browser program 122 ) from which queries may be built and/or issued.
- the user then builds a query.
- a loop of operations ( 308 - 312 ) is performed for each condition in the query, for example, in preparation for issuing the query.
- at step 308 , encryption attributes (e.g., encryption attributes 216 ) are retrieved for the fields involved in the condition.
- at step 310 , a determination is made, based on the retrieved encryption attributes, as to whether any of the fields involved in the condition are sensitive fields. For example, if the encryption attribute is a Boolean variable, the determination may entail simply testing whether encryption is enabled for the corresponding field.
- if so, the condition is encrypted at step 312 ; otherwise the condition is not encrypted. In either case, processing proceeds to step 306 to select the next condition (if any).
- once every condition has been processed, the query is issued. For example, the query may be transmitted from the client 102 to the server 104 over the network 126 .
- FIG. 3B illustrates exemplary operations 320 that may be performed, for example, by the server 104 (e.g., the application 140 and/or query execution component 150 ) receiving the issued query containing encrypted query conditions.
- the operations 320 begin, at step 322 , by receiving the query from the requesting entity (e.g., the browser program 122 ).
- a loop of operations (steps 325 - 326 ) is performed for each condition in the query, in order to decrypt any encrypted conditions.
- a determination is made, as to whether the condition is encrypted. The determination may be made based on an indication provided in the query itself. For example, as indicated in TABLE I, the query may take the form of an XML document and, as illustrated in the query results example shown in TABLE II, in the XML document encrypted data may be tagged as such.
- if so, the condition is decrypted at step 326 .
- Well known techniques may be used to enable the server 104 to decrypt the conditions. For example, the client 102 and server 104 may exchange a common set of encryption keys for use in the encrypting/decrypting of data. Processing then proceeds to step 324 to select the next condition (if any). Once each encrypted condition has been decrypted, processing proceeds to step 328 to issue the query (e.g., against the DBMS 154 ).
- the query execution runtime component 150 may first convert the query from an abstract form into a concrete form compatible with the specific underlying physical representation 214 .
- results from issuing the query are received and, at step 332 , a loop of operations ( 334 - 336 ) is performed to determine whether any of the results fields are sensitive.
- a determination is made as to whether the field is secured, for example, by accessing the encryption attribute for the field stored in the DRA component 148 . If it is determined that the field is sensitive, the field is encrypted, at step 336 , otherwise, the field is not encrypted. In either case, processing proceeds to step 332 to select the next field.
- once the operations 334 - 336 have been performed for each field, the results are returned to the requesting entity, at step 338 . For example, as illustrated in FIG. 2C , results 220 including both viewable (non-encrypted) results 222 and encrypted results 224 may be forwarded to the server application 140 to be sent to the client 102 over the network 126 .
- FIG. 3C illustrates exemplary operations 340 that may be performed by the requesting entity, (e.g., the client 102 or browser program 122 ) to process the results 220 received from the server 104 .
- the operations 340 begin at step 342 , for example, after issuing the query and, at step 344 , the results are received.
- encrypted results may be simply identified (e.g., indicated or “tagged” in an XML document containing the results) and decrypted by the receiving entity.
- an additional level of security may be provided, for example, based on user credentials (e.g., indicating whether the user is authorized to view the encrypted results).
- a user profile (e.g., one of the user profiles 153 illustrated in FIG. 1 containing user credentials) is obtained.
- a loop of operations ( 350 - 354 ) is performed for each results field, to determine if the user is authorized to view the results.
- encryption attributes for the field are retrieved. As previously described, the encryption attributes for the field may include, not only whether the field is sensitive, but a security level required to view the results (an authorized user group, etc.).
- a determination is made, based on the encryption attributes and the user profile, as to whether the user is authorized to view the results for the field.
- if the encryption attributes indicate the field is not sensitive, the results are not encrypted and, therefore, may be displayed without regard to the user profile.
- if the field is sensitive (i.e., the results are encrypted), a security level or user group contained in the user profile may be compared against a corresponding encryption attribute to determine if the user is authorized to view the encrypted data. If it is determined the user is authorized to view the results for the field, the results are (decrypted and) displayed, at step 354 .
- if the user is not authorized, the remaining (unencrypted or decrypted) results may still be displayed to the user, along with an indication that one or more of the results fields is encrypted and, therefore, not displayed to the user.
- alternatively, encrypted fields the user is not authorized to view may simply be removed from the results set (or not displayed). Regardless, once the operations 350 - 354 have been performed for all the results fields, the operations 340 are exited at step 360 .
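The three procedures above (FIGS. 3A-3C), carried through end to end as an added Python example that is not the patent's code: the client encrypts the conditions that involve sensitive fields, the server decrypts them, runs the query and encrypts the sensitive result fields, and the client decrypts a field only for a user whose security level satisfies the field's attribute. Everything not stated in the text is an assumption of this example: the XML layout of the DRA document and its `encrypt`/`securityLevel` attributes, the table and query contents, a single symmetric key shared by client and server (the patent also allows per-user public keys), and the cipher itself, a stand-in built from HMAC-SHA256 (keystream plus tag) because the Python standard library has no authenticated cipher; production code would use AES-GCM or another AEAD.

```python
"""Added example of the partial-encryption round trip; not the patent's code.
Assumed, not from the patent: the DRA_XML layout, the sample table, a single
shared key, and the HMAC-SHA256 stand-in cipher (use AES-GCM in production)."""
import hashlib, hmac, json, os
import xml.etree.ElementTree as ET

# Constructed DRA document: encrypt="YES" marks a sensitive logical field; securityLevel
# is the largest (least privileged) level number still allowed to view it. As in
# FIGS. 4B-4C, level 1 outranks level 2.
DRA_XML = """<DataRepository>
  <Field name="Patient ID" column="patient_id" encrypt="YES" securityLevel="1"/>
  <Field name="Test" column="test_type"/>
  <Field name="Hemoglobin Test Results" column="hgb_result"/>
  <Field name="Date of Test" column="test_date"/>
</DataRepository>"""

def load_dra(xml_text):
    """Logical field -> column, sensitivity flag and required level (attribute 216)."""
    dra = {}
    for f in ET.fromstring(xml_text).iter("Field"):
        dra[f.get("name")] = {
            "column": f.get("column"),
            "sensitive": f.get("encrypt", "NO").upper() in ("YES", "TRUE", "1", "ENABLED"),
            "level": int(f.get("securityLevel")) if f.get("securityLevel") else None,
        }
    return dra

# Stand-in cipher: encrypt-then-MAC with separate subkeys derived from one shared key.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _stream(ek, nonce, n):
    blocks = (hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, text):
    """hex(nonce || ciphertext || tag), with a fresh random nonce per value."""
    ek, mk = _subkeys(key)
    nonce, pt = os.urandom(16), text.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(ek, nonce, len(pt))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()

def unseal(key, token):
    ek, mk = _subkeys(key)
    raw = bytes.fromhex(token)
    nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
    expect = hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext tag mismatch")  # tampered on the wire, or wrong key
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct)))).decode()

# FIG. 3A (client): encrypt every condition that involves a sensitive field.
def encrypt_query(dra, key, query):
    conds = [{"encrypted": seal(key, json.dumps(c))} if dra[c["field"]]["sensitive"] else c
             for c in query["conditions"]]
    return {"conditions": conds, "results": query["results"]}

# FIG. 3B (server): decrypt tagged conditions, run the query (equality only here, mapping
# logical fields to columns through the DRA), then encrypt the sensitive result fields.
def server_execute(dra, key, wire, table):
    conds = [json.loads(unseal(key, c["encrypted"])) if "encrypted" in c else c
             for c in wire["conditions"]]
    rows = [r for r in table if all(r[dra[c["field"]]["column"]] == c["value"] for c in conds)]
    out = []
    for r in rows:
        row = {}
        for name in wire["results"]:
            value = r[dra[name]["column"]]
            row[name] = {"encrypted": seal(key, value)} if dra[name]["sensitive"] else value
        out.append(row)
    return out

# FIG. 3C (client): decrypt a field only if the user's level satisfies its attribute.
def present(dra, key, results, user_level):
    def show(name, value):
        if not (isinstance(value, dict) and "encrypted" in value):
            return value                      # non-sensitive field, returned in the clear
        required = dra[name]["level"]
        if required is not None and user_level <= required:
            return unseal(key, value["encrypted"])
        return "[encrypted]"                  # shown as hidden, as in FIG. 4B
    return [{name: show(name, value) for name, value in row.items()} for row in results]

# Constructed sample data: three test records for two patients.
TABLE = [
    {"patient_id": "P-4471", "test_type": "Hemoglobin", "hgb_result": "13.2", "test_date": "2003-01-07"},
    {"patient_id": "P-4471", "test_type": "Hemoglobin", "hgb_result": "12.9", "test_date": "2003-02-03"},
    {"patient_id": "P-9020", "test_type": "Hemoglobin", "hgb_result": "11.8", "test_date": "2003-02-11"},
]
QUERY = {"conditions": [{"field": "Patient ID", "value": "P-4471"}],
         "results": ["Patient ID", "Hemoglobin Test Results", "Date of Test"]}

def round_trip(user_level, key=b"shared-demo-key", query=QUERY):
    """Returns (what crossed the wire, the partially encrypted results, what this user sees)."""
    dra = load_dra(DRA_XML)
    wire = encrypt_query(dra, key, query)
    results = server_execute(dra, key, wire, TABLE)
    return wire, results, present(dra, key, results, user_level)

if __name__ == "__main__":
    for level in (2, 1):   # "Researcher 1" at level 2, then after promotion to level 1
        print("security level", level, round_trip(level)[2])
```

The query that crosses the network carries no patient ID in the clear, the result rows carry an encrypted Patient ID beside the plaintext test values, and the same encrypted results can be re-rendered for a higher security level without re-running the query. The tag check in `unseal` is what the patent's scheme otherwise lacks: without it, an eavesdropper who cannot read a ciphertext could still alter it undetected.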
- indication may be provided to a user building a query that one or more fields involved in the query are sensitive and will, therefore, be encrypted.
- FIG. 4A illustrates an exemplary graphical user interface (GUI) screen that may be used to generate queries. As shown, the GUI screen 400 may allow the user to add query conditions and results conditions. In the illustrated query being built, an indication is provided that Patient ID, shown in the results field, will be encrypted in the query results.
- FIG. 4B illustrates an exemplary GUI screen 450 that may be used to display query results (e.g., from issuing a query built with the GUI screen 400 ).
- an indication is provided that the Patient ID field is encrypted and, therefore data from the field is not displayed (e.g., the data returned for the field is hidden from the user).
- the other non-sensitive results fields (“Hemoglobin Test Results” and “Date of Test”) are displayed.
- security may be user or group based and whether a field is displayed to a particular user may be determined by the user's security level (or other credential, such as a user group).
- a first user (assigned a first security level) may not be able to view patient IDs in their queries, while a second user (assigned a second security level) may be able to view patient IDs (unencrypted).
- the patient IDs may be encrypted with the second user's public key such that the second user could decrypt them for viewing.
- a user's security level may change, allowing them to view encrypted data they were previously unauthorized to view. For example, a researcher looking at data to determine if there is enough data to support a theory may be prohibited from viewing patient IDs, which may not be necessary for the collection of data. However, upon realizing the data may support additional findings, the researcher may request (e.g., of an administrative board) authorization to see Patient IDs in order to identify potential research candidates. Rather than re-run the queries and generate new results, the Patient IDs encrypted in the query results may be decrypted for viewing by the user.
- an example of this scenario is illustrated in FIGS. 4B and 4C .
- in FIG. 4B , the user (“Researcher 1 ”) has a Security Level of 2, which is not adequate to provide authorization to view Patient IDs.
- in FIG. 4C , the user's Security Level has been changed to a Security Level of 1 (a higher security level in this example) which provides sufficient authorization to view the Patient IDs. Accordingly, the Patient IDs, while hidden from the user in FIG. 4B , are displayed to the user in FIG. 4C .
- encrypted (sensitive) results fields may be decrypted and stored as temporary results (e.g., temporary results 230 of FIG. 2C ).
- a number of advantages may be gained by storing (completely decrypted) temporary results. For example, if the user's security level changes, as described above, the decrypted results may be readily retrieved from the temporary results.
- Another advantage in using temporary results is that the user may build additional queries, based on query results, even though the results are hidden from the user (i.e., the user is not authorized to view the results). As a result, the user may be able to perform complex research, “drilling down” to details related to specific results even without viewing sensitive portions of the results.
- a medical researcher may collect a list of patients, for example, with a common disease. While the patient IDs may be hidden from the researcher, the researcher may still be able to build a query based on a patient ID, to gain additional details regarding a particular patient.
- the researcher may wish to collect a complete list of tests that a patient has previously had performed (e.g., results from an initial query may have indicated a condition that may be verified by additional tests).
- An example of this scenario is illustrated in FIG. 4B and FIG. 4D .
- a user may be given the option to retrieve a full list of tests performed for a patient whose ID is hidden from the user. If the user exercises this option, as illustrated in FIG. 4D , the user may be provided with the GUI screen 400 already containing the necessary query conditions (based on the hidden field) to return the list of tests.
- in the illustrated example the hidden field is Patient ID; the user may know the nature of the query, but not the specific values involved.
- while this example is specific to medical research, similar functionality may be provided for other application environments (e.g., a criminal investigator may be allowed to “Retrieve all prior convictions” of a convicted felon without knowing the actual identity of the felon).
- Allowing a user to generate and/or issue queries based on sensitive encrypted fields the user is not authorized to view may also be advantageous in various other situations. For example, for some embodiments, in an effort to facilitate the query building process, queries created by one user may be saved for later reuse by another user. By allowing queries to be built without displaying sensitive fields to unauthorized users, queries built by a first user having a first (higher) security level may be reused by a second user having a second (lower) security level. Examples of query reuse are described in the commonly assigned application Ser. No. 10/264,188, entitled “SQL Query Construction Using Durable Query Components,” filed Oct. 3, 2002, herein incorporated by reference in its entirety.
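The temporary-results behaviour described in the preceding paragraphs, as an added Python example that is not the patent's code: the requesting entity keeps the fully decrypted rows, hands the user interface an opaque handle in place of each sensitive value the user may not see, builds a drill-down query ("all tests for this patient") from that handle, and resolves the handle to the real value only at issue time (after which the condition would be encrypted for the wire as in the procedure of FIG. 3A, which is not repeated here). A later change in security level re-reads the same stored rows without re-running the query. The DRA dictionary, the rows, the handle format and the level comparison (a smaller number outranks a larger one, as in FIGS. 4B and 4C) are assumptions of this example.

```python
"""Added example of temporary results with hidden-field drill-down; not the
patent's code.  The DRA dict, sample rows and handle format are constructed."""
import secrets

# Constructed stand-in for the DRA component's encryption attributes: which logical
# fields are sensitive and the largest level number still allowed to view them.
DRA = {
    "Patient ID": {"sensitive": True, "level": 1},
    "Test": {"sensitive": False, "level": None},
    "Date of Test": {"sensitive": False, "level": None},
}

# Constructed, already-decrypted results of an earlier query (temporary results 230).
ROWS = [
    {"Patient ID": "P-4471", "Test": "Hemoglobin", "Date of Test": "2003-01-07"},
    {"Patient ID": "P-4471", "Test": "Glucose", "Date of Test": "2003-01-09"},
    {"Patient ID": "P-9020", "Test": "Hemoglobin", "Date of Test": "2003-02-11"},
]

def may_view(dra, field, user_level):
    """Non-sensitive fields are always viewable; sensitive ones need level <= attribute."""
    spec = dra[field]
    return (not spec["sensitive"]) or (spec["level"] is not None and user_level <= spec["level"])

class TemporaryResults:
    """Decrypted rows held by the requesting entity.  The UI layer only ever receives
    opaque handles for values the current user is not cleared to see; the
    handle-to-value map never leaves this object."""
    def __init__(self, dra, rows):
        self.dra, self.rows = dra, rows
        self._by_value, self._by_handle = {}, {}

    def _handle(self, field, value):
        # One handle per distinct (field, value), so equal hidden values stay linkable
        # (the researcher can still tell that two rows belong to the same patient).
        h = self._by_value.get((field, value))
        if h is None:
            h = "ref:" + secrets.token_hex(8)
            self._by_value[(field, value)] = h
            self._by_handle[h] = (field, value)
        return h

    def view(self, user_level):
        """Rows as shown to this user: plaintext, or {'hidden': True, 'handle': ...}."""
        return [{f: (v if may_view(self.dra, f, user_level)
                     else {"hidden": True, "handle": self._handle(f, v)})
                 for f, v in row.items()} for row in self.rows]

    def drilldown(self, handle, result_fields):
        """Build a follow-up query on a hidden value without exposing it to the UI."""
        field, _ = self._by_handle[handle]   # KeyError: handle was not issued by this store
        return {"conditions": [{"field": field, "value_ref": handle}], "results": result_fields}

    def resolve(self, query):
        """Replace handle references with real values just before the query is issued;
        the FIG. 3A condition encryption would then apply to the resolved query."""
        conds = []
        for c in query["conditions"]:
            if "value_ref" in c:
                field, value = self._by_handle[c["value_ref"]]
                conds.append({"field": field, "value": value})
            else:
                conds.append(c)
        return {"conditions": conds, "results": query["results"]}

if __name__ == "__main__":
    tr = TemporaryResults(DRA, ROWS)
    shown = tr.view(2)                         # Researcher 1 at level 2: IDs hidden
    handle = shown[0]["Patient ID"]["handle"]
    q = tr.drilldown(handle, ["Test", "Date of Test"])
    print("UI sees:", q)                       # carries the handle, not P-4471
    print("issued as:", tr.resolve(q))
    print("after promotion to level 1:", tr.view(1)[0]["Patient ID"])
```

Because handles are minted per store, a query saved with a handle cannot be resolved by another user's requesting entity; a saved query meant for reuse by a lower-level user (as described above) must therefore be resolved, and then encrypted for the wire, by the entity that holds the temporary results.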
- database fields containing sensitive information may be identified in a document that may be accessed by a database server and requesting client.
- the requesting client may access the document to identify sensitive fields that may be encrypted in a query to prevent unauthorized users from extracting information from the query (e.g., correlating the query results to a particular condition).
- the database server may first access the document to identify fields in a received query that are encrypted and, therefore, need to be decrypted to issue the query against the database. Further, after issuing the query, the database server may access the document to identify sensitive fields in the query results.
- query results identified as sensitive may be encrypted prior to returning the results.
- partial encryption of query results may be particularly advantageous when large amounts (e.g., thousands of rows) of data are returned in a single query, with only a small fraction of the data being sensitive.
Abstract
The present invention generally is directed to systems, methods, and articles of manufacture for securing sensitive information involved in database transactions. Embodiments of the present invention selectively encrypt only portions of transactions involving sensitive data, thereby reducing or eliminating the processing overhead resulting from wastefully encrypting non-sensitive data. The sensitive data may be identified by a document. The document may be accessed by a requesting entity to determine which portions of a query should be encrypted prior to sending the query to a database server over a network. The document may also be accessed by a database server to determine which portions of query results should be encrypted prior to sending the query results to the requesting entity over the network.
Description
This application is a divisional of U.S. patent application Ser. No. 10/388,074, filed Mar. 13, 2003 now U.S. Pat. No. 7,418,600, which is herein incorporated by reference.
1. Field of the Invention
The present invention generally relates to data processing and more particularly to methods of secure access to a database.
2. Description of the Related Art
Databases are computerized information storage and retrieval systems. A relational database management system is a computer database management system (DBMS) that uses relational techniques for storing and retrieving data. The most prevalent type of database is the relational database, a tabular database in which data is defined so that it can be reorganized and accessed in a number of different ways.
Regardless of the particular architecture, in a DBMS, a requesting entity (e.g., an application or the operating system) demands access to a specified database by issuing a database access request. Such requests may include, for instance, simple catalog lookup requests or transactions and combinations of transactions that operate to read, change and add specified records in the database. These requests are made using high-level query languages such as the Structured Query Language (SQL). Illustratively, SQL is used to make interactive queries for getting information from and updating a database such as International Business Machines' (IBM) DB2, Microsoft's SQL Server, and database products from Oracle, Sybase, and Computer Associates. The term “query” denominates a set of commands for retrieving data from a stored database. Queries take the form of a command language that lets programmers and programs select, insert, update, find out the location of data, and so forth.
One significant issue in the context of databases is security. Databases often contain confidential or otherwise sensitive material which requires a degree of security to protect it from unauthorized access. For example, medical records are considered highly personal and confidential. As such, access to medical records is typically restricted to selected users. Other examples of sensitive material include, but are certainly not limited to, credit card numbers and personal identification numbers (PINs) used to conduct financial transactions, and employee records. To this end, conventional database management systems often implement user profiles which specify a level of authority. Whether a user may access some particular data will depend upon the user's level of authority specified in their respective profile.
However, through the use of intrusive hacking techniques (snooping, spoofing, and other forms of eavesdropping), unauthorized people may still gain access to sensitive information by intercepting database queries or query results containing the sensitive information. This problem is compounded by the fact that the high level languages used to generate queries are, by design, highly readable (e.g., to facilitate the building, interpreting, and troubleshooting of queries). In other words, because queries and results are often transmitted over a network as highly readable “text on wire,” sensitive material contained therein may be readily identified if intercepted by an unauthorized user.
One technique to secure sensitive material within database transactions is through the use of protocols commonly used for secure transmission of data over the Internet, such as Secure Sockets Layer (SSL) or Secure HyperText Transfer Protocol (S-HTTP). Such protocols take an all or nothing approach, encrypting entire documents, or an entire session's worth of transactions. However, because many database queries return vast amounts of data (possibly thousands of results records), encrypting the entire set of results may place an undue burden on system resources. Particularly in cases where only a small fraction of the results needs to be secured (e.g., a 16 character credit card number, a patient identification number, etc.), encrypting the entire results would be wasteful.
Accordingly, there is a need for an improved method for securing sensitive information in a database transaction.
The present invention generally provides methods, articles of manufacture, and systems for securing sensitive information in a database transaction.
For some embodiments, a method for generating a secure document generally includes providing a first document containing security attributes for one or more fields for use in generating a second document, the security attributes identifying whether a corresponding one of the fields is sensitive, generating the second document including one or more of the fields, and encrypting portions of the second document involving fields identified as sensitive in the first document.
For some embodiments, a method for conducting a secure database transaction generally includes receiving query results from a server, the query results containing both encrypted and unencrypted data, identifying the encrypted data, and presenting at least the unencrypted data to a user.
For some embodiments, a method for conducting a secure database transaction generally includes building a query having one or more conditions, each condition involving one or more fields, determining, for each of the conditions, whether the condition involves sensitive fields, and encrypting conditions determined to involve sensitive fields.
For some embodiments, a method for conducting a secure database transaction generally includes receiving a query from a requesting entity, issuing the query against a database, receiving results in response to issuing the query, determining whether the results includes data corresponding to one or more sensitive fields, if so, encrypting the data corresponding to the one or more sensitive fields, and sending the query results to the requesting entity.
For some embodiments, the article of manufacture generally includes a computer-readable medium containing a program which, when executed by a processor, performs operations for conducting a secure database transaction. The operations generally include generating a query having one or more conditions, each condition involving one or more fields, determining, for each of the conditions, whether the condition involves sensitive fields, and encrypting conditions determined to involve sensitive fields.
For some embodiments, the article of manufacture generally includes a computer-readable medium containing a program which, when executed by a processor, performs operations for conducting a secure database transaction. The operations generally include receiving a query from a requesting entity, issuing the query against a database, receiving results in response to issuing the query, determining whether the results includes data corresponding to one or more sensitive fields, if so, encrypting the data corresponding to the one or more sensitive fields, and, sending the query results to the requesting entity.
For some embodiments a database system generally includes a database, a requesting entity and an executable component (e.g., a server process). The executable component is generally configured to a) receive a query from the requesting entity, b) issue the query against the database, c) determine if results received in response to issuing the query against the database contain data corresponding to one or more sensitive fields, d) if so, encrypt the data corresponding to the one or more sensitive fields, and e) send the results to the requesting entity.
So that the manner in which the above recited features, advantages and objects of the present invention are attained and can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to the embodiments thereof which are illustrated in the appended drawings.
It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.
The present invention generally is directed to systems, methods, and articles of manufacture for securing sensitive information involved in database transactions. Rather than take the conventional “all or nothing” approach to securing entire transactions (e.g., encrypting entire database queries and results), embodiments of the present invention selectively encrypt only portions of transactions involving sensitive data, thereby reducing or eliminating the processing overhead resulting from wastefully encrypting non-sensitive data.
According to some embodiments, a document containing security attributes which identify sensitive fields (e.g., fields that hold sensitive information) is provided. Entities involved in transactions may access this document to determine what data to encrypt. For example, a requesting application may access the document to determine which portions of a query to encrypt while a database server may access the document to determine which portions of query results to encrypt. As used herein, the term document generally refers to any file produced by an application. Accordingly, a document may contain human readable text (generated by a word processor or other type editor), machine readable data, or any data in any other type of format. For some embodiments, queries and/or results may be contained within a document. In the following description, to facilitate understanding, embodiments of the present invention will be described with reference to XML documents as a specific, but not limiting example of a type of document that may contain security attributes for fields involved in a database transaction.
A wide variety of types of information may be regarded as sensitive. As an example, patient identification (ID) numbers may be regarded as sensitive information in the context of query results. With the patient ID, remaining query results may have context. For example, a sensitive test result may be related to the particular patient for which it corresponds. On the other hand, if the patient ID is removed (or secured such that only authorized users can view it), the remaining data becomes merely statistical in nature. In other words, the only valuable information that can be determined from the data without the patient ID is in context to the rest of the data, which may be useful for many applications, such as conducting medical research. For example, without the patient ID, a researcher may be able to determine that 20% of the patients in a sample have been diagnosed with cancer, but can not determine any one patient that has been diagnosed.
Of course, the medical field is just one application environment in which aspects of the present invention may be used to advantage. Another example is a human resources application where large amounts of sensitive employee information (e.g., salary, performance, etc.) may be transmitted across a network in database transactions. By securing an employee ID, the remaining sensitive employee information may be transferred freely because, without the employee ID, the remaining employee information has no context. Another example is a marketing application, in which consumer transactions, tracked and recorded in a database, may be queried to conduct marketing research. The transaction records may contain sensitive information regarding consumers (e.g., credit card numbers, credit ratings, customer names, etc.), which may be secured allowing other information (e.g., items purchased, dates of purchases, etc.) to be freely transferred.
In one embodiment of the present invention, security features are implemented as part of an abstract (logical) model of data (or data abstraction model). The data abstraction model is implemented as a data repository abstraction (DRA) component containing a collection of abstract representations of fields of data contained in the repository it models. Thus, the DRA component provides a logical view of the underlying modeled data repository. In this way, data is made independent of the particular manner in which the data is physically represented. A query abstraction layer is also provided and is based on the data abstraction model. A runtime component (e.g., a query execution component) performs translation of abstract queries (generated based on the data abstraction model) into a form that can be used against a particular physical data representation. However, while the data abstraction model described herein provides one or more embodiments of the invention, persons skilled in the art will recognize that the concepts provided herein can be implemented without such a data abstraction model while still providing the same or similar results.
One embodiment of the invention is implemented as a program product for use with a computer system such as, for example, the networked computer system 100 shown in FIG. 1 and described below. The program(s) of the program product defines functions of the embodiments (including the methods described herein) and can be contained on a variety of signal-bearing media. Illustrative signal-bearing media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive) having information permanently stored thereon; and (ii) writable storage media (e.g., floppy disks within a diskette drive or hard-disk drive) having alterable information stored thereon. Such signal-bearing media, when carrying computer-readable instructions that direct the functions of the present invention, represent embodiments of the present invention.
In general, the routines executed to implement the embodiments of the invention may be part of an operating system or a specific application, component, program, module, object, or sequence of instructions. The software of the present invention typically is comprised of a multitude of instructions that will be translated by the native computer into a machine-readable format and hence executable instructions. Also, programs are comprised of variables and data structures that either reside locally to the program or are found in memory or on storage devices. In addition, various programs described hereinafter may be identified based upon the application for which they are implemented in a specific embodiment of the invention. However, it should be appreciated that any particular nomenclature that follows is used merely for convenience, and thus the invention should not be limited to use solely in any specific application identified and/or implied by such nomenclature.
The client computer 102 includes a Central Processing Unit (CPU) 110 connected via a bus 130 to a memory 112, storage 114, an input device 116, an output device 119, and a network interface device 118. The input device 116 can be any device to give input to the client computer 102. For example, a keyboard, keypad, light-pen, touch-screen, track-ball, or speech recognition unit, audio/video player, and the like could be used. The output device 119 can be any device to give output to the user, e.g., any conventional display screen. Although shown separately from the input device 116, the output device 119 and input device 116 could be combined. For example, a display screen with an integrated touch-screen, a display with an integrated keyboard, or a speech recognition unit combined with a text speech converter could be used.
The network interface device 118 may be any entry/exit device configured to allow network communications between the client computer 102 and the server 104 via the network 126. For example, the network interface device 118 may be a network adapter or other network interface card (NIC).
The memory 112 is preferably a random access memory sufficiently large to hold the necessary programming and data structures of the invention. While the memory 112 is shown as a single entity, it should be understood that the memory 112 may in fact comprise a plurality of modules, and that the memory 112 may exist at multiple levels, from high speed registers and caches to lower speed but larger DRAM chips.
Illustratively, the memory 112 contains an operating system 124. Illustrative operating systems, which may be used to advantage, include Linux and Microsoft's Windows®. More generally, any operating system supporting the functions disclosed herein may be used.
The memory 112 is also shown containing a browser program 122 that, when executed on CPU 110, provides support for navigating between the various servers 104 and locating network addresses at one or more of the servers 104. In one embodiment, the browser program 122 includes a web-based Graphical User Interface (GUI), which allows the user to display Hyper Text Markup Language (HTML) information. More generally, however, the browser program 122 may be any program (preferably GUI-based) capable of rendering the information transmitted to the client computer 102 from the server 104. For some embodiments, the browser program 122 may enable a user to conduct database transactions (e.g., build and issue queries) with the server 104, for example, via one or more GUI screens that form a query building interface. In other words, queries issued by the client 102 may be sent to the server 104 over the network 126 (and results from the query will be sent from the server 104 to the client 102), thus prompting the need to secure sensitive information involved in the transaction.
The server 104 may be physically arranged in a manner similar to the client computer 102. Accordingly, the server 104 is shown generally comprising a CPU 131, a memory 132, and a storage device 134, coupled to one another by a bus 136. Memory 132 may be a random access memory sufficiently large to hold the necessary programming and data structures that are located on the server 104.
The server 104 is generally under the control of an operating system 138 shown residing in memory 132. Examples of the operating system 138 include IBM OS/400®, UNIX, Microsoft Windows®, and the like. More generally, any operating system capable of supporting the functions described herein may be used.
The memory 132 further includes one or more applications 140 and an abstract query interface 146. The applications 140 and the abstract query interface 146 are software products comprising a plurality of instructions that are resident at various times in various memory and storage devices in the server 104. When read and executed by one or more processors 131 in the server 104, the applications 140 and the abstract query interface 146 cause the computer system 100 to perform the steps necessary to execute steps or elements embodying the various aspects of the invention. The applications 140 (and more generally, any requesting entity, including the operating system 138 and, at the highest level, users) issue queries against a database (e.g., databases 156 1, 156 2 . . . 156 N, collectively referred to as databases 156). For some embodiments, one or more of the applications 140 and/or the abstract query interface 146 may interact with various software components of the client 102, such as the browser program 122, allowing the client 102 to issue queries against the databases 156.
Illustratively, the databases 156 are shown as part of a database management system (DBMS) 154 in storage 134. The databases 156 are representative of any collection of data regardless of the particular physical representation. By way of illustration, the databases 156 may be organized according to a relational schema (accessible by SQL queries) or according to an XML schema (accessible by XML queries). However, the invention is not limited to a particular schema and contemplates extension to schemas presently unknown. As used herein, the term “schema” generically refers to a particular arrangement of data.
In one embodiment, the queries issued by the applications 140 are defined according to an application query specification 142 included with each application 140. The queries issued by the applications 140 may be predefined (i.e., hard coded as part of the applications 140) or may be generated in response to input (e.g., user input). In either case, the queries (referred to herein as “abstract queries”) are composed/executed using logical fields defined by the abstract query interface 146. The concepts of data abstraction and abstract queries are described in detail in the commonly owned, co-pending application Ser. No. 10/083,075, entitled “Improved Application Portability And Extensibility Through Database Schema And Query Abstraction,” filed Feb. 26, 2002, herein incorporated by reference in its entirety.
As described in the above referenced application, the logical fields used in the abstract queries are defined by a data repository abstraction (DRA) component 148 of the abstract query interface 146. The abstract queries are executed by a query execution component 150 which first transforms the abstract queries into a form consistent with the physical representation of the data contained in the DBMS 154. In one embodiment, the DRA component 148 is configured with encryption information 162. For embodiments not based on the data abstraction model (or some equivalent thereof), the encryption information 162 may reside elsewhere. As will be described in more detail below, the encryption information 162 may identify fields within the databases 156 that contain sensitive information and should, therefore, be encrypted.
The query execution component 150 operates to perform various analyses and, in some embodiments, implement various security features, such as encrypting sensitive information contained within a query or results, or take other actions according to the results of the analyses performed. Accordingly, the query execution component 150 is shown configured with an encryption algorithm 151 (which may be representative of a plurality of algorithms), which implements the methods described herein. In general, the security features described herein may be applied to a particular user, a group of users, or all users.
In one embodiment, elements of a query are specified by a user through a graphical user interface (GUI). The content of the GUIs is generated by the application(s) 140. In a particular embodiment, the GUI content is hypertext markup language (HTML) content which may be rendered on the client computer systems 102 with the browser program 122. Accordingly, the memory 132 includes a Hypertext Transfer Protocol (http) server process 152 (e.g., a web server) adapted to service requests from the client computer 102. For example, the server process 152 may respond to requests to access the database(s) 156, which illustratively resides on the server 104. Incoming client requests for data from a database 156 invoke an application 140. When executed by the processor 131, the application 140 causes the server 104 to perform the steps or elements embodying the various aspects of the invention, including accessing the database(s) 156. In one embodiment, the application 140 comprises a plurality of servlets configured to build GUI elements, which are then rendered by the browser program 122.
Logical/Runtime View of Environment
An illustrative abstract query corresponding to the abstract query 202 shown in FIG. 2B is shown in Table I below. By way of illustration, the abstract query 202 is defined using XML. However, any other language may be used to advantage.
TABLE I
QUERY EXAMPLE
001 <?xml version="1.0"?>
002 <!--Query string representation: Test = "Hemoglobin" AND Location =
003 "Rochester"-->
004 <QueryAbstraction>
005 <Selection>
006 <Condition>
007 <Condition field="data://Test/Type" operator="EQ" value="Hemoglobin">
008 <Condition relOperator="AND" field="data://Test/Location" operator="EQ" >
009 <Value val="Rochester"/>
010 </Condition>
011 </Selection>
012 <Results format="HTML" blockSize="25" distinct="Yes" >
013 <Field name="data://Demographic/Patient ID" fieldType="char"/>
014 <Field name="data://Test/Hemoglobin" fieldType="int"/>
015 <Field name="data://Test/Date" fieldType="date"/>
016 </Results>
017 <EntityRef name="Patient"/>
018 </QueryAbstraction>
Illustratively, the abstract query shown in Table I includes a selection specification (lines 5-11) containing selection criteria and a results specification (lines 12-16). In one embodiment, a selection criterion consists of a field name (for a logical field), a comparison operator (=, >, <, etc.) and a value expression (what the field is being compared to). In one embodiment, a result specification is a list of abstract fields that are to be returned as a result of query execution. A result specification in the abstract query may consist of a field name and formatting options, such as sorting criteria.
The logical fields specified by the application query specification 142 and used to compose the abstract query 202 are defined by the DRA component 148. In general, the DRA component 148 exposes information as a set of logical fields that may be used within a query (e.g., the abstract query 202) issued by the application 140 (which may be in response to user input query conditions) to specify criteria for data selection and specify the form of result data returned from a query operation. The logical fields are defined independently of the underlying data representation being used in the DBMS 154, thereby allowing queries to be formed that are loosely coupled to the underlying data representation.
In general, the DRA component 148 comprises a plurality of field specifications 208 1, 208 2, 208 3, . . . (three shown by way of example), collectively referred to as the field specifications 208. Specifically, a field specification is provided for each logical field available for composition of an abstract query. In one embodiment, a field specification 208 comprises a logical field name 210 1, 210 2, 210 3 (collectively, field name 210) and an associated access method 212 1, 212 2, 212 3 (collectively, access method 212). The access methods 212 associate (i.e., map) the logical field names to a particular physical data representation 214 1, 214 2 . . . 214 N in a database (e.g., one of the databases 156). By way of illustration, two data representations are shown in FIG. 2A, an XML data representation 214 1 and a relational data representation 214 2. However, the physical data representation 214 N indicates that any other data representation, known or unknown, is contemplated.
In one embodiment, a single DRA component 148 contains field specifications (with associated access methods) for two or more physical data representations 214. In an alternative embodiment, a different single DRA component 148 is provided for each separate physical data representation 214. In yet another embodiment, multiple data repository abstraction components 148 are provided, where each DRA component 148 exposes different portions of the same underlying physical data (which may comprise one or more physical data representations 214). In this manner, a single application 140 may be used simultaneously by multiple users to access the same underlying data where the particular portions of the underlying data exposed to the application are determined by the respective DRA component 148.
Any number of access methods are contemplated depending upon the number of different types of logical fields to be supported. In one embodiment, access methods for simple fields, filtered fields and composed fields are provided. The field specifications 208 1, 208 2 and 208 3 exemplify simple field access methods 212 1, 212 2 and 212 3, respectively. Simple fields are mapped directly to a particular entity in the underlying physical data representation (e.g., a field mapped to a given database table and column). By way of illustration, the simple field access method 212 1 shown in FIG. 2B maps the logical field name 210 1 (“Test”) to a column named “test_type” in a table named “test_records.”
Filtered fields (no example shown in FIG. 2 ) identify an associated physical entity and provide rules used to define a particular subset of items within the physical data representation. An example of a filtered field is a New York ZIP code field that maps to the physical representation of ZIP codes and restricts the data only to those ZIP codes defined for the state of New York. Composed access methods (no example shown in FIG. 2 ) compute a logical field from one or more physical fields using an expression supplied as part of the access method definition. In this way, information which does not exist in the underlying data representation may be computed. An example is a sales tax field that is composed by multiplying a sales price field by a sales tax rate.
It is contemplated that the formats for any given data type (e.g., dates, decimal numbers, etc.) of the underlying data may vary. Accordingly, in one embodiment, the field specifications 208 include a type attribute which reflects the format of the underlying data. However, in another embodiment, the data format of the field specifications 208 is different from the associated underlying physical data, in which case an access method is responsible for returning data in the proper format assumed by the requesting entity. Thus, the access method must know what format of data is assumed (i.e., according to the logical field) as well as the actual format of the underlying physical data. The access method can then convert the underlying physical data into the format of the logical field.
By way of example, the field specifications 208 of the DRA component 148 shown in FIG. 2 are representative of logical fields mapped to data represented in the relational data representation 214 2. However, other instances of the DRA component 148 map logical fields to other physical data representations, such as XML.
Partial Encryption
In one embodiment, one or more of the field specifications 208 are configured with the encryption information 162 briefly described above with reference to FIGS. 1 and 2A. In the illustrated embodiment, only the field definition 208 3 (for a “Patient ID” field) has associated encryption information 162. Accordingly, it should be understood that not all field definitions need necessarily include encryption information. In the present example, the encryption information 162 is an encryption attribute 216. As illustrated, the encryption attribute 216 may be assigned a Boolean value, for example, with YES (ENABLED, TRUE, 1, etc.) indicating the corresponding logical field is sensitive and should, therefore, be encrypted. It should be understood that the encryption attribute need not be designated in the DRA component 148, but could instead be provided in a configuration file, for example.
For some embodiments, in addition to (or in place of) a Boolean encryption attribute that indicates a field is sensitive, another security attribute may be provided, such as an integer value indicative of, for example, an authorized user group or user security level required for viewing encrypted results containing the sensitive data or query conditions involving a sensitive field. In operation, a list of user profiles 153 (a plurality of which are shown in FIG. 1) containing a security level (user ID, or user group) for individual users may be maintained. For some embodiments, the security level (or other type of user credentials) may be compared against this other type of security attribute to determine whether queries containing a sensitive field, or query results involving the sensitive field, should be presented to the user in a viewable manner (decrypted/unencrypted).
Any type of suitable algorithm may be utilized to encrypt sensitive fields. For example, encryption algorithms based on public and private keys may be used to encrypt and decrypt, respectively, sensitive portions of database transactions. Examples of suitable encryption algorithms include, but are not limited to, RSA, DES, SHA, and MD5 algorithms. For some embodiments, the type of encryption algorithm may be specified in the DRA component 148, rather than utilizing a “hard coded” algorithm agreed upon by the server and requesting client. Thus, different algorithms may be specified in the DRA component 148 (e.g., as part of encryption information 162), which may enhance security, for example, further decreasing the likelihood an unauthorized viewer will be able to decrypt the sensitive portions.
As illustrated in FIG. 2C, based on the encryption information 162 (e.g., encryption attribute 216 for a logical field), query results 220 returned by the query execution component 150 may contain both viewable results 222 and encrypted results 224. Table II shows illustrative return results for the example query 202 shown in FIG. 2B. By way of illustration, the results include two rows of data (lines 2-13 and lines 14-25) and the return results are shown in XML. However, any other language may be used to advantage.
TABLE II
DATA REPOSITORY ABSTRACTION EXAMPLE
001 <data>
002 <row>
003 <col>
004 <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
005 <CipherData>
006 <CipherValue>BNjivf7gTOhHmcfZIX8XJSxHJ7dlZudnZBrg=
007 </CipherValue>
008 </CipherData>
009 </EncryptedData>
010 </col>
011 <col>9</col>
012 <col>10/12/2002</col>
013 </row>
014 <row>
015 <col>
016 <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
017 <CipherData>
018 <CipherValue>BNjivf7gTOhHmcfZIX8XJSxHJ7dlZudnZBrg=
019 </CipherValue>
020 </CipherData>
021 </EncryptedData>
022 </col>
023 <col>10</col>
024 <col>12/04/2002</col>
025 </row>
026 </data>
As indicated by the encryption attribute 216 shown in FIG. 2B, the Patient ID field is sensitive and is, therefore, encrypted, as shown in lines 4-9 and lines 15-20. The other logical fields in the return results (test results in lines 11 and 23, date of test in lines 12 and 24) are returned unencrypted. Accordingly, even if the illustrated return results were intercepted, for example, by an unauthorized eavesdropper, the Patient ID would not be obtained and the remaining results would have no context and, therefore, little value outside statistical research. As will be described below, depending on the application, when the return results 220 are received by the requesting entity (e.g., the application 140 or the client browser program 122 shown in FIG. 1) the encrypted results may be decrypted and presented to the user in viewable form, may remain encrypted with an indication to the user that the results are encrypted, or may not be displayed to the user at all. Further, as will be described in greater detail below, in order to facilitate manipulation of query results (e.g., sorting, building related queries, etc.), encrypted results may be decrypted and stored as temporary results 230.
Exemplary Operations for Secure Database Transactions
For some embodiments, query conditions involving sensitive fields may also be encrypted, which may prevent sensitive information from being transmitted as plaintext on the wire. As previously described, even if sensitive information is encrypted in query results, the sensitive information may be provided by the query. As an example, a user may create a query to return certain test results (for example, the query may have the condition “PatientID=123456”). While a test results field may not be identified as a sensitive field, an unauthorized user that gains access to the query may readily identify the patient and may easily correlate the results of the query to the patient. Encrypting query conditions involving sensitive fields prevents this situation.
At step 306, a loop of operations (308-312) is performed for each condition in the query, for example, in preparation for issuing the query. At step 308, encryption attributes (e.g., encryption attributes 216) are retrieved for each field involved in the query condition. At step 310, a determination is made, based on the retrieved encryption attributes, as to whether any of the fields involved in the condition are sensitive fields. For example, if the encryption attribute is a Boolean variable, the determination may entail simply testing to see if encryption is enabled for the corresponding field.
If it is determined that any of the fields involved in the condition are sensitive, the condition is encrypted, at step 312, otherwise the condition is not encrypted. In either case, processing proceeds to step 306 to select the next condition (if any). As illustrated, once the loop of operations 308-312 has been performed for each condition in the query, the query is issued. For example, the query may be transmitted from the client 102 to the server 104 over the network 126.
If it is determined that the condition is encrypted, the condition is decrypted at step 326. Well known techniques may be used to enable the server 104 to decrypt the conditions. For example, the client 102 and server 104 may exchange a common set of encryption keys for use in the encrypting/decrypting of data. Processing then proceeds to step 324 to select the next condition (if any). Once each encrypted condition has been decrypted, processing proceeds to step 328 to issue the query (e.g., against the DBMS 154). As previously described, for the abstract data model illustrated, the query execution runtime component 150 may first convert the query from an abstract form into a concrete form compatible with the specific underlying physical representation 214.
In any case, at step 330, results from issuing the query are received and, at step 332, a loop of operations (334-336) is performed to determine if any of the results fields are sensitive. At step 334, a determination is made as to whether the field is secured, for example, by accessing the encryption attribute for the field stored in the DRA component 148. If it is determined that the field is sensitive, the field is encrypted, at step 336, otherwise, the field is not encrypted. In either case, processing proceeds to step 332 to select the next field. Once the operations 334-336 have been performed for each field, the results are returned to the requesting entity, at step 338. For example, as illustrated in FIG. 2C, results 220 including both viewable (non-encrypted) results 222 and encrypted results 224 may be forwarded to the server application 140 to be sent to the client 102 over the network 126.
Therefore, at step 346, a user profile (e.g., one of the user profiles 153 illustrated in FIG. 1 containing user credentials) is obtained. At step 348, a loop of operations (350-354) is performed for each results field, to determine if the user is authorized to view the results. At step 350, encryption attributes for the field are retrieved. As previously described, the encryption attributes for the field may include, not only whether the field is sensitive, but a security level required to view the results (an authorized user group, etc.). At step 352, a determination is made, based on the encryption attributes and the user profile, as to whether the user is authorized to view the results for the field.
For example, if the encryption attributes indicate the field is not sensitive, the results are not encrypted anyway and, therefore, may be displayed without regard to the user profile. On the other hand, if the field is sensitive (i.e., the results are encrypted), a security level or user group contained in the user profile may be compared against a corresponding encryption attribute to determine if the user is authorized to view the encrypted data. If it is determined the user is authorized to view the results for the field, the results are (decrypted and) displayed, at step 354. As will be described in greater detail below, if the user is not authorized, the remaining (unencrypted or decrypted) results may still be displayed to the user, along with an indication that one or more of the results fields is encrypted and, therefore, not displayed to the user. As an alternative, encrypted fields the user is not authorized to view may simply be removed from the results set (or not displayed). Regardless, once the operations 350-354 have been performed for all the results fields, the operations 340 are exited at step 360.
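The round trip described above, from the encryption attribute in the DRA through encrypted query conditions (steps 306-312 and 326), partly encrypted results in the Table II layout (steps 332-338) and the user-profile check before display (steps 346-354), as an added Python example that is not the patent's own code. The cipher is a stand-in for the unspecified algorithm 151 (an HMAC-SHA256 counter-mode keystream with an HMAC tag; SHA and MD5 as listed above are hash functions, not ciphers, so they appear only inside a keyed construction), and the shared key, the required security level and the sample rows are assumptions.

```python
"""Partial encryption of a database transaction: encryption attribute 216, encrypted
conditions (steps 306-312, 326), Table II results (332-338), profile check (346-354)."""
import base64
import hashlib
import hmac
import os
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"  # namespace used in Table II

# Stand-in for the page's unspecified "encryption algorithm 151": HMAC-SHA256 in
# counter mode as keystream, plus an HMAC tag (encrypt-then-MAC). SHA and MD5 as
# listed on the page are hashes, not ciphers. Production code: AES-GCM or similar.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: str) -> str:
    nonce = os.urandom(16)  # fresh per value: equal Patient IDs encrypt differently
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt(key: bytes, token: str) -> str:
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

# Field specifications 208 with encryption information 162: the Boolean attribute 216
# plus a security level (1 outranks 2, as in FIGS. 4B/4C). Level values are constructed.
DRA = {
    "data://Demographic/Patient ID": {"encrypt": True, "required_level": 1},
    "data://Test/Type": {"encrypt": False},
    "data://Test/Hemoglobin": {"encrypt": False},
    "data://Test/Date": {"encrypt": False},
}

def is_sensitive(field: str) -> bool:
    return DRA.get(field, {}).get("encrypt", False)

# Client, steps 306-312: encrypt each condition that names a sensitive field, so
# "Patient ID = 123456" never crosses the network in clear.
def encrypt_conditions(key: bytes, conditions: list) -> list:
    return [dict(c, value=encrypt(key, c["value"]), encrypted=True)
            if is_sensitive(c["field"]) else dict(c) for c in conditions]

# Server, step 326: decrypt encrypted conditions before issuing the query.
def decrypt_conditions(key: bytes, conditions: list) -> list:
    return [dict(c, value=decrypt(key, c["value"]), encrypted=False)
            if c.get("encrypted") else dict(c) for c in conditions]

# Server, steps 332-338: wrap only sensitive columns in the
# EncryptedData/CipherData/CipherValue structure shown in Table II.
def encrypt_results(key: bytes, fields: list, rows: list) -> str:
    out = ["<data>"]
    for row in rows:
        out.append("<row>")
        for field, value in zip(fields, row):
            if is_sensitive(field):
                out.append(f'<col><EncryptedData xmlns="{XMLENC_NS}"><CipherData>'
                           f"<CipherValue>{encrypt(key, str(value))}</CipherValue>"
                           "</CipherData></EncryptedData></col>")
            else:
                out.append(f"<col>{escape(str(value))}</col>")
        out.append("</row>")
    return "".join(out + ["</data>"])

# Client, steps 346-354: decrypt only when the profile's level suffices (FIG. 4B/4C).
def render_results(key: bytes, fields: list, results_xml: str, profile: dict) -> list:
    def cell(field, col):
        cipher_value = col.find(f".//{{{XMLENC_NS}}}CipherValue")
        if cipher_value is None:
            return col.text
        if profile["level"] <= DRA[field]["required_level"]:
            return decrypt(key, cipher_value.text)
        return "[encrypted]"
    return [[cell(f, c) for f, c in zip(fields, row.findall("col"))]
            for row in ET.fromstring(results_xml).findall("row")]

def demo() -> dict:
    key = os.urandom(32)  # constructed: the common key shared by client and server
    fields = ["data://Demographic/Patient ID", "data://Test/Hemoglobin", "data://Test/Date"]
    conditions = [{"field": "data://Test/Type", "operator": "EQ", "value": "Hemoglobin"},
                  {"field": "data://Demographic/Patient ID", "operator": "EQ", "value": "123456"}]
    on_wire = encrypt_conditions(key, conditions)
    rows = [["123456", 9, "10/12/2002"], ["123456", 10, "12/04/2002"]]  # constructed rows
    results_xml = encrypt_results(key, fields, rows)
    return {
        "id_hidden_on_wire": on_wire[1]["encrypted"] and on_wire[1]["value"] != "123456",
        "server_sees_id": decrypt_conditions(key, on_wire)[1]["value"],
        "id_in_results_xml": "123456" in results_xml,
        "level_2_view": render_results(key, fields, results_xml, {"user": "Researcher 1", "level": 2}),
        "level_1_view": render_results(key, fields, results_xml, {"user": "Researcher 1", "level": 1}),
    }
```

Calling demo() shows the Patient ID condition leaving the client only as ciphertext, the server recovering it, and the same results XML rendering with "[encrypted]" for a level-2 profile and with the plaintext ID for a level-1 profile.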
Exemplary User Interface
For some embodiments, indication may be provided to a user building a query that one or more fields involved in the query are sensitive and will, therefore, be encrypted. For example, FIG. 4A illustrates an exemplary graphical user interface (GUI) screen that may be used to generate queries. As shown, the GUI screen 400 may allow the user to add query conditions and results conditions. In the illustrated query being built, an indication is provided that Patient ID, shown in the results fields, will be encrypted in the query results.
As previously described, for some embodiments, security may be user or group based and whether a field is displayed to a particular user may be determined by the user's security level (or other credential, such as a user group). As an example of user-based security, a first user (assigned a first security level) may not be able to view patient IDs in their queries, while a second user (assigned a second security level) may be able to view patient IDs (unencrypted). For example, the patient IDs may be encrypted with the second user's public key such that the second user could decrypt them for viewing.
In some situations, a user's security level may change, allowing them to view encrypted data they were previously unauthorized to view. For example, a researcher looking at data to determine if there is enough data to support a theory may be prohibited from viewing patient IDs, which may not be necessary for the collection of data. However, upon realizing the data may support additional findings, the researcher may request (e.g., of an administrative board) authorization to see Patient IDs in order to identify potential research candidates. Rather than re-run the queries and generate new results, the Patient IDs encrypted in the query results may be decrypted for viewing by the user.
An example of this scenario is illustrated in FIGS. 4B and 4C. In FIG. 4B, the user (“Researcher 1”) has a Security Level of 2, which is not adequate to provide authorization to view Patient IDs. In FIG. 4C, however, the user's Security Level has been changed to a Security Level of 1 (a higher security level in this example) which provides sufficient authorization to view the Patient IDs. Accordingly, the Patient IDs, while hidden from the user in FIG. 4B, are displayed to the user in FIG. 4C.
As previously described, for some embodiments, in order to facilitate manipulation of query results, encrypted (sensitive) results fields may be decrypted and stored as temporary results (e.g., temporary results 230 of FIG. 2C). A number of advantages may be gained by storing (completely decrypted) temporary results. For example, if the user's security level changes, as described above, the decrypted results may be readily retrieved from the temporary results.
Another advantage in using temporary results is that the user may build additional queries, based on query results, even though the results are hidden from the user (i.e., the user is not authorized to view the results). As a result, the user may be able to perform complex research, “drilling down” to details related to specific results even without viewing sensitive portions of the results. As an example, a medical researcher may collect a list of patients, for example, with a common disease. While the patient IDs may be hidden from the researcher, the researcher may still be able to build a query based on a patient ID, to gain additional details regarding a particular patient.
For example, the researcher may wish to collect a complete list of tests that a patient has previously had performed (e.g., results from an initial query may have indicated a condition that may be verified by additional tests). An example of this scenario is illustrated in FIG. 4B and FIG. 4D . As illustrated in FIG. 4B , a user may be given the option to retrieve a full list of tests performed for a patient whose ID is hidden from the user. If the user exercises this option, as illustrated in FIG. 4D , the user may be provided with the GUI screen 400 already containing the necessary query conditions (based on the hidden field) to return the list of tests. As shown, while the field (Patient ID) may be shown, the conditional information (e.g., Patient ID=123456) is not shown. Thus, the user may know the nature of the query, but not the specific values involved. Of course, while this example is specific to medical research, similar functionality may be provided for other application environments (e.g., a criminal investigator may be allowed to “Retrieve all prior convictions” of a convicted felon without knowing the actual identity of the felon).
Allowing a user to generate and/or issue queries based on sensitive encrypted fields the user is not authorized to view may also be advantageous in various other situations. For example, for some embodiments, in an effort to facilitate the query building process, queries created by one user may be saved for later reuse by another user. By allowing queries to be built without displaying sensitive fields to unauthorized users, queries built by a first user having a first (higher) security level may be reused by a second user having a second (lower) security level. Examples of query reuse are described in the commonly assigned application Ser. No. 10/264,188, entitled “SQL Query Construction Using Durable Query Components,” filed Oct. 3, 2002, herein incorporated by reference in its entirety.
By partial encryption of database transactions, data that is not sensitive may be transmitted freely across a network, without encryption, thus reducing or eliminating wasteful processing overhead. For some embodiments, database fields containing sensitive information may be identified in a document that may be accessed by a database server and requesting client. The requesting client may access the document to identify sensitive fields that may be encrypted in a query to prevent unauthorized users from extracting information from the query (e.g., correlating the query results to a particular condition). The database server may first access the document to identify fields in a received query that are encrypted and, therefore, need to be decrypted to issue the query against the database. Further, after issuing the query, the database server may access the document to identify sensitive fields in the query results. Only fields in the query results identified as sensitive may be encrypted prior to returning the results. Thus, partial encryption of query results may be particularly advantageous when large amounts (e.g., thousands of rows) of data are returned in a single query, with only a small fraction of the data being sensitive.
While the foregoing is directed to embodiments of the present invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow.
Claims (11)
1. A method for generating a secure document for use in a transaction with respect to a database, the method comprising:
providing a first document including security attributes for one or more database fields, each security attribute identifying whether a corresponding database field is sensitive;
prior to issuing a query against the database, determining whether any condition is encrypted, and decrypting any condition upon determining that the condition is encrypted;
issuing the query against the database; and
generating a second document based on the one or more database fields by operation of one or more computer processors, wherein the second document comprises results of the query, and wherein one or more portions of the second document involving database fields identified as sensitive in the first document are encrypted.
2. The method of claim 1, wherein at least one of the first document and the second document is an XML document.
3. The method of claim 1, wherein both the first document and the second document are XML documents.
4. The method of claim 1, wherein at least one of the first document and the second document comprises a relational data representation.
5. The method of claim 1, wherein both the first document and the second document comprise a relational data representation.
6. A method for securing information for use in a transaction with respect to a database within a server, the method comprising:
providing a document including security attributes for one or more database fields, each security attribute identifying whether a corresponding database field is sensitive;
receiving a query including references to the one or more database fields;
processing the query based on the one or more database fields by operation of one or more computer processors, wherein one or more conditions of the query involving database fields identified as sensitive in the document are encrypted, while one or more conditions of the query involving database fields not identified as sensitive in the document are left unencrypted;
sending the query to the server; and
processing the query such that any encrypted condition in the query is decrypted prior to issuing the query against the database.
7. The method of claim 6, wherein the document is an XML document.
8. The method of claim 6, wherein the document comprises a relational data representation.
9. The method of claim 6, further comprising providing a data abstraction model comprising logical field definitions for each of the plurality of database fields, wherein each logical field definition includes a field name, location information for a corresponding value in a physical database, and a reference to an access method invoked to access the corresponding value using the location information.
10. The method of claim 9, wherein the access method is selected from at least two different access method types.
11. A method for securing information for use in a transaction with respect to a database within a server, the method comprising:
providing a document including security attributes for one or more database fields, each security attribute identifying whether a corresponding database field is sensitive;
receiving a query including references to the one or more database fields;
processing the query based on the one or more database fields by operation of one or more computer processors, wherein one or more conditions of the query involving database fields identified as sensitive in the document are encrypted, while one or more conditions of the query involving database fields not identified as sensitive in the document are left unencrypted;
sending the query to the server;
processing the query such that any encrypted condition in the query is decrypted prior to issuing the query against the database;
issuing the query against the database; and
selectively encrypting a portion of query results corresponding to database fields identified as sensitive in the document, and leaving a remaining portion of query results unencrypted.
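As an added example (not code from the patent or its assignee), the following Python sketches the transaction described in the summary of the description above and in claims 1, 6 and 11: a field-security document marks which fields are sensitive, the client encrypts only the conditions on those fields, and the server decrypts them, runs the query and encrypts only the sensitive fields of the results, so that an unauthorized user can still drill down on a hidden patient ID. The security document, sample table, key and the HMAC-based stand-in cipher are all constructed for this example.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed "first document": a security attribute per database field.
SECURITY_DOC = """<fields>
  <field name="patient_id" sensitive="true"/>
  <field name="test" sensitive="false"/>
  <field name="result" sensitive="false"/>
</fields>"""

# Constructed sample table standing in for the physical database.
TABLE = [
    {"patient_id": "123456", "test": "HbA1c", "result": "7.9"},
    {"patient_id": "123456", "test": "CBC", "result": "normal"},
    {"patient_id": "789012", "test": "HbA1c", "result": "5.4"},
]

# Constructed demo key shared by client and server; a real system would obtain it
# from the user's credentials or a key-management service.
KEY = b"constructed-demo-key-do-not-reuse"


def sensitive_fields(doc_xml):
    """Read the security document into the set of field names marked sensitive."""
    root = ET.fromstring(doc_xml)
    return {f.get("name") for f in root.findall("field") if f.get("sensitive") == "true"}


# Stand-in cipher so the example runs on the standard library alone: an HMAC-SHA256
# keystream XORed over the plaintext under a fresh random nonce. It gives
# confidentiality only; a deployment would use an authenticated cipher such as AES-GCM.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, text):
    nonce = os.urandom(16)
    data = text.encode()
    return (nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))).hex()


def decrypt(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, data = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data)))).decode()


def build_query(conditions, sensitive, key):
    """Client side: encrypt only conditions on sensitive fields; others travel in the clear."""
    return [(field, encrypt(key, value) if field in sensitive else value)
            for field, value in conditions]


def serve_query(query, sensitive, key, table=TABLE):
    """Server side: use the document to find encrypted conditions and decrypt them, run the
    query, then encrypt only the sensitive fields of each result row (the 'second document')."""
    plain = {f: decrypt(key, v) if f in sensitive else v for f, v in query}
    rows = [r for r in table if all(r[f] == v for f, v in plain.items())]
    return [{f: encrypt(key, v) if f in sensitive else v for f, v in r.items()} for r in rows]


def render(results, sensitive, key=None):
    """Presentation: a user holding the key sees everything; an unauthorized user sees
    sensitive fields masked while non-sensitive fields stay readable."""
    return [{f: (decrypt(key, v) if key else "<hidden>") if f in sensitive else v
             for f, v in r.items()} for r in results]


def drill_down(result_row, field):
    """Build a follow-up query on a hidden field without decrypting it: the still-encrypted
    value is reused as the condition, so a user can retrieve all tests for a patient
    whose ID is never shown to them (the server decrypts it inside serve_query)."""
    return [(field, result_row[field])]


if __name__ == "__main__":
    sens = sensitive_fields(SECURITY_DOC)
    hits = serve_query(build_query([("test", "HbA1c")], sens, KEY), sens, KEY)
    print(render(hits, sens))            # patient IDs hidden, tests and results visible
    followup = serve_query(drill_down(hits[0], "patient_id"), sens, KEY)
    print(render(followup, sens))        # every test of the first (still hidden) patient
```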
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/036,076 US8001389B2 (en) | 2003-03-13 | 2008-02-22 | Secure database access through partial encryption |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/388,074 US7418600B2 (en) | 2003-03-13 | 2003-03-13 | Secure database access through partial encryption |
US12/036,076 US8001389B2 (en) | 2003-03-13 | 2008-02-22 | Secure database access through partial encryption |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/388,074 Division US7418600B2 (en) | 2003-03-13 | 2003-03-13 | Secure database access through partial encryption |
Publications (2)
Publication Number | Publication Date |
---|---|
US20080148070A1 US20080148070A1 (en) | 2008-06-19 |
US8001389B2 true US8001389B2 (en) | 2011-08-16 |
Family
ID=32962047
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/388,074 Active 2025-06-03 US7418600B2 (en) | 2003-03-13 | 2003-03-13 | Secure database access through partial encryption |
US12/036,116 Expired - Lifetime US8032765B2 (en) | 2003-03-13 | 2008-02-22 | Secure database access through partial encryption |
US12/036,076 Expired - Lifetime US8001389B2 (en) | 2003-03-13 | 2008-02-22 | Secure database access through partial encryption |
US12/198,743 Expired - Lifetime US7992010B2 (en) | 2003-03-13 | 2008-08-26 | Secure database access through partial encryption |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/388,074 Active 2025-06-03 US7418600B2 (en) | 2003-03-13 | 2003-03-13 | Secure database access through partial encryption |
US12/036,116 Expired - Lifetime US8032765B2 (en) | 2003-03-13 | 2008-02-22 | Secure database access through partial encryption |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/198,743 Expired - Lifetime US7992010B2 (en) | 2003-03-13 | 2008-08-26 | Secure database access through partial encryption |
Country Status (3)
Country | Link |
---|---|
US (4) | US7418600B2 (en) |
TW (1) | TW200500894A (en) |
WO (1) | WO2004081816A1 (en) |
- 2003
  - 2003-03-13 US US10/388,074 patent/US7418600B2/en active Active
- 2004
  - 2004-02-27 TW TW093105134A patent/TW200500894A/en unknown
  - 2004-03-05 WO PCT/GB2004/000936 patent/WO2004081816A1/en active Application Filing
- 2008
  - 2008-02-22 US US12/036,116 patent/US8032765B2/en not_active Expired - Lifetime
  - 2008-02-22 US US12/036,076 patent/US8001389B2/en not_active Expired - Lifetime
  - 2008-08-26 US US12/198,743 patent/US7992010B2/en not_active Expired - Lifetime
Office Action for U.S. Appl. No. 10/388,074, Dated Oct. 29, 2007. |
Office Action History of U.S. Appl. No. 12/036,116 dates ranging from May 28, 2010 to Feb. 10, 2011. |
PCT International Search Report for PCT/GB2004/000936, Dated Aug. 4, 2004. |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130246813A1 (en) * | 2011-11-11 | 2013-09-19 | Nec Corporation | Database encryption system, method, and program |
US8812877B2 (en) * | 2011-11-11 | 2014-08-19 | Nec Corporation | Database encryption system, method, and program |
US20150006908A1 (en) * | 2011-11-11 | 2015-01-01 | Nec Corporation | Database encryption system, method, and program |
US9349023B2 (en) * | 2011-11-11 | 2016-05-24 | Nec Corporation | Database encryption system, method, and program |
US12124425B2 (en) | 2022-09-30 | 2024-10-22 | Capital One Services, Llc | Stream-based database alteration architecture and methods for managing databases |
Also Published As
Publication number | Publication date |
---|---|
US20080148071A1 (en) | 2008-06-19 |
US8032765B2 (en) | 2011-10-04 |
US20040181679A1 (en) | 2004-09-16 |
US7418600B2 (en) | 2008-08-26 |
US7992010B2 (en) | 2011-08-02 |
US20080148070A1 (en) | 2008-06-19 |
WO2004081816A1 (en) | 2004-09-23 |
TW200500894A (en) | 2005-01-01 |
US20090083548A1 (en) | 2009-03-26 |
Similar Documents
Publication | Title |
---|---|
US8001389B2 (en) | Secure database access through partial encryption |
AU2019239311B2 (en) | Facilitating queries of encrypted sensitive data via encrypted variant data objects |
JP6419633B2 (en) | Search system |
US8355923B2 (en) | Systems and methods for de-identification of personal data |
US8117221B2 (en) | Database obfuscation system and method |
US20070174762A1 (en) | Personal web page annotation system |
US20110040983A1 (en) | System and method for providing identity theft security |
US8204906B2 (en) | Abstraction based audit and security log model for increased role and security enforcement |
US20090049512A1 (en) | Method and system for masking data |
JP2002169808A (en) | Secure multi-database system |
AU2008323688A1 (en) | System and method for providing identity theft security |
JP2000293421A (en) | Device and method for data management with improved privacy protecting function |
CN101002417A (en) | System and method for dis-identifying sensitive information and assocaites records |
WO2022064348A1 (en) | Protecting sensitive data in documents |
EP4227841A1 (en) | Systems and methods for tracking propagation of sensitive data |
CN107409040A (en) | For code analysis tool of the recommending data encryption without influenceing Program Semantics |
JP2005284353A (en) | Personal information use system, method for controlling the same system, map file generating device and access control policy file generating device |
US6957347B2 (en) | Physical device placement assistant |
US20060053479A1 (en) | Accessing a data item in a memory of a computer system |
JP5430618B2 (en) | Dynamic icon overlay system and method for creating a dynamic overlay |
Hansen et al. | HDI: integrating health data and tools |
US20240005024A1 (en) | Order preserving dataset obfuscation |
AU2011211416A1 (en) | System and method for providing identity theft security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| FPAY | Fee payment | Year of fee payment: 4 |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 8 |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 12 |